DHCP, VLANs and subnets in home networks

In the article VLANs for home networks I wrote about how VLANs and subnets can improve network security by creating different segments, usually associated with a subnet. With multiple subnets, assigning addresses in each subnet via DHCP becomes more complex.

DHCPv4 uses broadcast packets to ask for an IP address. VLANs create separate broadcast domains, so broadcast packets don’t cross a VLAN boundary. DHCPv6 uses multicast, but those packets don’t cross a VLAN either. If we want to assign subnets to VLANs, we also need a way to assign IPs from the specific subnet to each VLAN.

There are different ways to make this work:

  • Use a separate DHCP server in each VLAN, serving only that VLAN. This solution is simple, but has some drawbacks: it needs a separate DHCP server in each VLAN, and if DHCP/DNS integration is used to assign A/AAAA records automatically to each DHCP lease, it is more complex to configure.
  • Use a single DHCP server connected to all VLANs. This centralizes DHCP management, but requires a device with a port connected to each VLAN, or a trunk port carrying all the VLANs (or a mix of both); the trunk option requires a system that can manage VLANs itself. It could be done on switches that offer a DHCP server too.
  • Use DHCP relay/IP Helper – usually in a switch or router – to transform broadcast/multicast packets into unicast packets towards the DHCP servers. This requires specific support by a network device that manages VLANs, and a DHCP server that allows configuring different subnet settings (usually called scopes) and assigns them correctly by looking at the request source.

Separate DHCP server in each VLAN

This solution can work with simple DHCP implementations that cannot manage multiple subnets, and can be implemented using most consumer all-in-one devices, one in each subnet: just let each of them manage assignments for its own subnet. Each subnet needs to be managed separately, and DNS integration is more complex – in the worst case, if integration exists but cannot be configured to use a separate server, each subnet will need its own DNS server too, making resolving hosts in other subnets harder or impossible.

Single DHCP server connected to all VLANs

This solution requires a device connected to all VLANs that can manage a separate subnet for each VLAN. It can be implemented on a switch/router that offers a DHCP server too, or on another device that is connected to all VLANs, either through a trunk port or through separate access ports.

pfSense DHCP server with per-interface settings

The DHCP server needs to be able to determine from which interface, and thus from which subnet, the request comes, to assign an IP in the correct one. Otherwise, it may be necessary to bind a different DHCP server instance to each interface, and the setup becomes similar to the previous case.

This solution works well on switches that offer a DHCP server too, especially when a single switch sees all VLANs. It might not offer DHCP/DNS integration, though.

DHCP relay/IP Helper

This is a specific function in network devices, usually switches – though it is usually available only on L2+ or L3 switches. Layer 2+ switches are layer 2 switches with a few layer 3 features added, like this one.

The device acts as a proxy for the requests. It listens for DHCP requests and sends them to the configured DHCP server IP addresses, transforming the broadcast/multicast request into a unicast one. When it gets an answer, it sends it back to the original requester. The DHCP server sees which IP the request came from – the relay writes its own address on the client’s VLAN into the request’s gateway address field (giaddr) – and can infer the subnet from it to generate the correct assignment.
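As an added illustration (not code from the original article), the following Python model shows the two halves of the mechanism described above: what the relay does to a DHCPv4 DISCOVER, and how a central server with several scopes picks the subnet from the result. The fixed header layout and the giaddr/hops fields are those of RFC 2131; the VLAN subnets, scope ranges, relay address and MAC address are constructed sample values, and the "first free address" lease logic is a placeholder for a real server's lease database.

```python
# Added example (not code from the original article): a minimal, runnable model
# of what a DHCP relay / IP Helper does to a DHCPv4 request and how a multi-scope
# server picks the subnet from it. The header layout is the real one from RFC 2131;
# the VLAN subnets, scope ranges and addresses below are constructed sample values.
import ipaddress
import struct

# Fixed-length part of a DHCPv4 message (RFC 2131 section 2): 236 bytes, then the
# 4-byte magic cookie and the options. giaddr sits at byte offsets 24..27.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
HOPS_OFF, YIADDR_OFF, GIADDR_OFF = 3, 16, 24
MAX_HOPS = 16  # relays discard requests that have already crossed 16 relays

# Constructed sample: one scope per VLAN subnet, as a central server would hold them.
SCOPES = {
    "192.168.10.0/24": ("192.168.10.100", "192.168.10.199"),  # VLAN 10
    "192.168.20.0/24": ("192.168.20.100", "192.168.20.199"),  # VLAN 20
}


def build_discover(xid: int, mac: bytes) -> bytes:
    """DHCPDISCOVER as a client broadcasts it: ciaddr/yiaddr/siaddr/giaddr all zero,
    broadcast flag set, option 53 = 1 (DISCOVER), option 255 = end."""
    fixed = HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def parse(packet: bytes) -> dict:
    """Decode the fields the relay and the server care about."""
    op, _htype, hlen, hops, xid, _secs, _flags, _ci, yi, _si, gi, chaddr, _sn, _f = \
        HEADER.unpack_from(packet, 0)
    if packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    return {"op": op, "hops": hops, "xid": xid,
            "yiaddr": str(ipaddress.IPv4Address(yi)),
            "giaddr": str(ipaddress.IPv4Address(gi)),
            "mac": chaddr[:hlen].hex(":")}


def relay(packet: bytes, relay_if_ip: str) -> bytes:
    """What the relay on the client's VLAN does: count a hop and, if giaddr is still
    0.0.0.0, stamp in its own address on that VLAN. The result is then sent as
    unicast to the configured server(s). A second relay on the path must not
    overwrite an existing giaddr, otherwise the server would pick the wrong scope."""
    hdr = bytearray(packet)
    if hdr[HOPS_OFF] >= MAX_HOPS:
        raise ValueError("hop count exceeded, discarding request")
    hdr[HOPS_OFF] += 1
    if hdr[GIADDR_OFF:GIADDR_OFF + 4] == b"\0\0\0\0":
        hdr[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_if_ip).packed
    return bytes(hdr)


def select_scope(packet: bytes, receiving_if_ip: str, scopes=SCOPES):
    """Server side. A non-zero giaddr means the request was relayed, and the scope is
    the one containing giaddr; a zero giaddr means the client sits on the subnet of
    the interface the request arrived on. Returns the subnet string or None."""
    gi = ipaddress.IPv4Address(packet[GIADDR_OFF:GIADDR_OFF + 4])
    anchor = gi if int(gi) else ipaddress.IPv4Address(receiving_if_ip)
    for net in scopes:
        if anchor in ipaddress.ip_network(net):
            return net
    return None


def build_offer(request: bytes, yiaddr: str) -> tuple:
    """Server reply: copy the request, flip op to BOOTREPLY, fill yiaddr, and choose
    the destination: unicast back to the relay (giaddr) if set, else broadcast on
    the local segment. Returns (packet, destination_ip)."""
    reply = bytearray(request)
    reply[0] = BOOTREPLY
    reply[YIADDR_OFF:YIADDR_OFF + 4] = ipaddress.IPv4Address(yiaddr).packed
    gi = parse(request)["giaddr"]
    return bytes(reply), (gi if gi != "0.0.0.0" else "255.255.255.255")


def handle_discover(packet: bytes, receiving_if_ip: str) -> dict:
    """End-to-end: pick the scope, hand out the first address of its range (a real
    server would consult its lease database) and report where the offer is sent."""
    net = select_scope(packet, receiving_if_ip)
    if net is None:
        return {"scope": None, "offered": None, "reply_to": None}
    offer, dest = build_offer(packet, SCOPES[net][0])
    return {"scope": net, "offered": parse(offer)["yiaddr"], "reply_to": dest}


if __name__ == "__main__":
    discover = build_discover(0x3903F326, bytes.fromhex("001122334455"))
    # Host on VLAN 20, relayed by the switch's VLAN 20 interface 192.168.20.1,
    # arriving at the server's interface 192.168.1.2 on a different subnet.
    print(handle_discover(relay(discover, "192.168.20.1"), "192.168.1.2"))
    # Same host directly on the server's own VLAN 10 interface: no relay, giaddr stays 0.
    print(handle_discover(discover, "192.168.10.1"))
```

The two calls at the bottom show the difference the relay makes: with giaddr set, the server ignores the interface the request arrived on and answers from the VLAN 20 scope, unicasting the offer to the relay; without it, only the directly attached subnet can be served. The check that a later relay leaves an existing giaddr untouched is what keeps multi-hop relay chains from mis-assigning scopes.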

DHCPv4 relay configuration in a Cisco Small Business switch

IP Helpers are a more generic service, and can be used to forward different types of protocols that would not otherwise work across VLANs and subnets. DHCP relay instead is a specific service that works with DHCP only, and may offer more options, like a list of DHCP servers to use, or option insertion, for example inserting option 82 (relay agent information) to add information for the DHCP server(s). Some devices offer both functions; if relay is available it is usually better to use it.

This configuration allows centralizing DHCP and DNS management easily, as long as the DHCP server can be configured to serve each VLAN/subnet properly.